Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes
|
|
- Camron Allison
- 5 years ago
- Views:
Transcription
1 Technical Report TI-5/02 (9th August 2002) TU Darmstadt, Fachbereich Informatik Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes Bodo Möller Technische Universität Darmstadt, Fachbereich Informatik Abstract. Mix chains as proposed by Chaum allow sending untraceable electronic without requiring trust in a single authority: messages are recursively public-key encrypted to multiple intermediates (mixes), each of which forwards the message after removing one layer of encryption. To conceal as much information as possible when using variable (source routed) chains, all messages passed to mixes should be of the same length; thus, message length should not decrease when a mix transforms an input message into the corresponding output message directed at the next mix in the chain. Chaum described an implementation for such length-preserving mixes, but it is not secure against active attacks. We show how to build practical cryptographically secure lengthpreserving mixes. The conventional definition of security against chosen ciphertext attacks is not applicable to length-preserving mixes; we give an appropriate definition and show that our construction achieves provable security. Keywords: Cryptographic r ers, chosen ciphertext attack security, public-key cryptosystems with length-expanding decryption 1 Introduction Chaum s mix concept [5] is intended to allow users to send untraceable electronic without having to trust a single authority. The idea is to use a number of intermediates such that it suffices for just one of these to be trustworthy in order to achieve untraceability. (The sender does not have to decide which particular intermediate he is willing to trust, he just must be convinced that at least one in a given list will behave as expected.) These intermediates, the mixes, are r ers accepting public-key encrypted input. Messages must be of a fixed size (shorter messages can be padded, longer messages can be split into multiple parts). To send a message, it is routed through a chain of mixes M 1,..., M n : the sender obtains the public key of each mix; then he recursively ( encrypts the message (including the address of the final recipient) yielding E M1 EM2 (... E Mn (payload)...) ) where E Mi denotes encryption with M i s public key, and sends the resulting ciphertext to mix M 1. (The public-key cryptosystem will typically be hybrid, i.e. involve use of symmetric-key cryptography for bulk data encryption.) Each mix removes the corresponding layer of encryption and 1
2 forwards the decrypted message to the next mix; thus mix M n will finally recover payload. Each mix is expected to collect a large batch of messages before forwarding the decryption results. The messages in the batch must be reordered (mixed) to prevent message tracing. It is important to prevent replay attacks a mix must not process the same message twice, or active adversaries would be able to trace messages by duplicating them at submission to cause multiple delivery. (Timestamps can be used to limit the timespan for which mixes have to remember which messages they have already processed; see [5] and [6].) Usually it is desireable to allow source routing, i.e. let senders choose mix chains on a per-message basis. This increases the flexibility of the whole scheme: senders can make use of new mixes that go into operation, and they can avoid mixes that appear not to work properly; in particular, they can avoid mixes that suppress messages (be it intentionally or because of technical problems). For source routing, in the recursively encrypted message, each layer must contain the address of the next mix in the chain so that each mix knows where to forward the message. A problem with the straightforward implementation of source routing is that messages will shrink as they proceed through the chain, not only because of the forwarding address for each layer that must be included, but also because public-key encryption increases message sizes. For optimal untraceability, we need length-preserving mixes: the messages that mixes receive should essentially look like the resulting messages that they forward to other mixes. A construction of length-preserving mixes is given in [5] (a variant of this is used in fielded systems [12]): mix messages consist of a fixed number of slots of a fixed size. The first slot is public-key encrypted so that it can be read the first mix in the chain. Besides control information directed at the respective mix (such as the address of the next mix in the chain or, in case of the last mix, the address of the final recipient), decryption yields a symmetric key that the mix uses to decrypt all the other slots. Then slots are shifted by one position: the decryption of the second slot becomes the new first slot, and so on. A new final slot is added consisting of random (garbage) data to obtain a mix message of the desired fixed length, which can the be forwarded to the next mix. On the way through the chain, each mix message consists of a number of slots with valid data followed by enough slots with garbage to fill all available slots; mixes are oblivious of how many slots contain valid data and how many are random. Each mix in the chain, when decrypting and shifting the slots, will decrypt the garbage slots already present and add a new final slot, thus increasing the number of random slots by one. We note that while the transformation of an incoming mix message to the corresponding outgoing mix message is lengthpreserving, the decryption step itself is actually length-expanding because some of the data obtained by decryption is control data directed at the current mix. The problem with this method for obtaining a hybrid public-key cryptosystem with length-expanding decryption is that it is not secure against active attacks: assume that an adversary controls at least one mix, and that all senders submit well-formed messages. Now when the victim submits a message, the ad- 2
3 versary can mark it by modifying one of the slots. This mark will persist as the message is forwarded through the mix chain: due to the decryption and slot shifting performed by each mix, the corresponding slot will essentially contain garbage. If the final mix is controlled by the adversary, the adversary may be able to notice the modification and thus break untraceability. To rule out such attacks, the hybrid public-key cryptosystem should provide security against adaptive chosen ciphertext attacks (CCA security): that is, it should be secure against an adversary who can request the decryption of arbitrary ciphertexts. In this paper, we present a secure and practical hybrid construction for length-preserving mixes, which is also more flexible than the slot-based approach. The standard notion of CCA security for public-key cryptosystems is not applicable to our hybrid public-key cryptosystem with length-expanding decryption because the encryption operation must be defined differently for our application: encryption cannot be treated as an atomic black-box operation that takes a plaintext and returns a ciphertext in this model, we cannot have lengthextending decryption. Rather, our encryption process first is input part of the desired ciphertext and determines a corresponding part of what will be the decryption result (it is this step that provides length expansion); then it is input the payload plaintext and finally outputs the complete ciphertext, which includes the portion requested in the first input. We describe the hybrid construction in section 2. Section 3 discusses appropriate security notions and gives a provable security result for the construction. This paper shows for the first time how to implement length-preserving mixes cryptographically secure against active attacks. We use many ideas and techniques described by Cramer and Shoup in [7], but adapt them to fit the new notions of security needed in the context of length-preserving mixes. 1.1 Notation Strings are binary, i.e. elements of {0, 1}. The concatenation of strings s and t is denoted s t. The length of string s is s. For s w, prefix w (s) denotes the string consisting of the leftmost w bits of s; thus, prefix s (s t) = s. Messages (plaintexts, ciphertexts) are strings. Algorithms are usually probabilistic (randomized). 2 A Construction for Length-Preserving Mixes Our construction allows much flexibility in the choice of cryptographic schemes, even in a single chain. The single parameter that must be fixed for all mixes is the desired mix message length l. Also it may be desireable to define a maximum length for the actual message payload, i.e. the part of the plaintext as recovered by the final mix that can be chosen by the sender: as a message proceeds through the mix chain, more and more of the data will be pseudo-random gibberish; the length of the useful part of the final plaintext reveals that chains leaving less 3
4 than this amount cannot have been used. The length n of the mix chain need not be fixed. For purposes of exposition, we number the mixes M 1,..., M n according to their position in the chain chosen by the sender (note that the same mix might appear multiple times in one chain). For each mix M i, the following must be defined and, with the exception of the secret key SK Mi, known to senders who want to use the mix: A key encapsulation mechanism and a key pair KEM Mi (PK Mi, SK Mi ) consisting of a public key PK Mi and a secret key SK Mi for this key encapsulation mechanism. A key encapsulation mechanism, similarly to a public-key encryption mechanism, provides an algorithm KEM Mi.Encrypt using the public key and an algorithm KEM Mi.Decrypt using the secret key. In contrast with public-key encryption, the first algorithm takes no input apart from the public key: KEM Mi.Encrypt(PK Mi ) generates a ciphertext K of a fixed length KEM Mi.CipherLen corresponding to a (pseudo-)random string K of a fixed length KEM Mi.OutLen and outputs the pair (K, K). Evaluation of KEM Mi.Decrypt(SK Mi, K) will return said string K. That is, ciphertext K encapsulates the random message K (which can be used as a key for symmetric-key cryptography). On arbitrary inputs K, the computation KEM Mi.Decrypt(SK Mi, K) may either return some string K or fail (return the special value invalid). Associated with key encapsulation mechanism KEM Mi is a key generation algorithm KEM Mi.KeyGen that returns appropriate key pairs (PK, SK). If M i is a correctly operating mix, its key pair (PK Mi, SK Mi ) has been generated by this algorithm. (Otherwise PK Mi may have been constructed differently; it might even be invalid in the sense that there is no corresponding secret key SK Mi that could be used for decryption.) Note that we use no explicit security parameter, so desired key sizes are implicit to KEM Mi.KeyGen. 4
5 One example of a key encapsulation mechanism is the Diffie-Hellman key exchange [8] with static keys for one party and ephemeral keys for the other party where the concatenation of the ephemeral public key with the common secret group element is hashed to obtain a symmetric key (cf. [1], [14]); KEM Mi.CipherLen can be kept particularly small for elliptic curve Diffie- Hellman using just x coordinates of points (see [11]). Specifications for various key encapsulation mechanisms can be found in [14]. A one-time message authentication code with key length and output length MAC Mi MAC Mi.KeyLen MAC Mi.OutLen. A one-time message authentication code specifies an efficient deterministic algorithm that takes as input a key K of length MAC Mi.KeyLen and a bit string s and returns a string MAC Mi (K, s) of length MAC Mi.OutLen. In our construction, MAC Mi will only be used for strings s of fixed length l KEM Mi.CipherLen MAC Mi.OutLen. Candidate one-time message authentication codes are UHASH [9] 1 and HMAC [2]. A pseudo-random bit string generator taking as input a key K of length STREAM Mi STREAM Mi.KeyLen and deterministically generating an output string STREAM Mi (K) of length STREAM Mi.OutLen. This will be used for an XOR-based stream cipher. A convenient example implementation is the so-called counter mode of a block cipher (the output sequence is the prefix of appropriate length of E K (0) E K (1) E K (2)... where E K denotes block cipher encryption using key K; see [3] and [10]). An integer PlainLen Mi specifying the length of the prefix of each decrypted message that is considered control data directed to mix M Mi and will not be forwarded. (This is the amount of message expansion: the decrypted message minus the prefix must be of size l because that is what will be sent to the next mix.) 1 UHASH is the combination of a key derivation function with an almost strongly universal hash function [15] and is the core of UMAC as specified in [9]. Note that the security arguments provided for the earlier version of UMAC in [4] are based on a different approach. 5
6 The parameters must fulfil the following conditions: 2.1 Encryption KEM Mi.CipherLen + MAC Mi.OutLen + PlainLen Mi < l (1) KEM Mi.OutLen = STREAM Mi.KeyLen + MAC Mi.KeyLen (2) STREAM Mi.OutLen = PlainLen Mi + l (3) We now describe encryption for sending a message through a chain M 1,..., M n. Let payload be the message of length payload = l (KEM Mi.CipherLen + MAC Mi.OutLen + PlainLen Mi ) (4) 1 i n (messages shorter than this maximum should be randomly padded on the right). For each i, let plain i be the control message of length PlainLen Mi directed to the respective mix. The encryption algorithm for these arguments is denoted or chain encrypt M1,...,M n (plain 1,..., plain n ; payload) chain encrypt M1,...,M n (plain 1,..., plain n ; payload; λ) where λ is the empty string. The algorithm is defined recursively. Let 1 i n, and let C i be a string of length C i = (KEM Mk.CipherLen + MAC Mk.OutLen + PlainLen Mk ) (5) 1 k<i (thus specifically C 1 = 0). Then algorithm works as follows: chain encrypt Mi,...,M n (plain i,..., plain n ; payload; C i ) 1. Use KEM Mi.Encrypt(PK Mi ) to generate a pair (K i, K i ). 2. Split K i in the form K i = K i,mac K i,stream such that K i,mac = MAC Mi.KeyLen (so K i,stream = STREAM Mi.KeyLen by (2)). 3. Compute STREAM Mi (K i,stream ) and split this string in the form stream i,l stream i,r such that the left part stream i,l is of length l C i KEM Mi.CipherLen MAC Mi.OutLen and the right part stream i,r accordingly, by (3), is of length C i + KEM Mi.CipherLen + MAC Mi.OutLen + PlainLen Mi. 6
7 4. If i = n (last mix), then by (4) and (5) it follows that stream n,l = PlainLen n + payload. In this case, set Otherwise, let C n = ( stream n,l (plain n payload) ) C n. C i+1 = stream i,r (C i 0 KEM M i.cipherlen+mac Mi.OutLen+PlainLen Mi ), by recursion compute and let x i = chain encrypt Mi+1,...,M n (plain i+1,..., plain n ; payload; C i+1 ), C i = ( stream i,l (plain i prefix streami,l PlainLen Mi (x i )) ) C i. 5. Compute M i = MAC i (K i,mac, C i ). 6. Return the ciphertext K i M i C i, which is of length l. Appendix A.1 illustrates a ciphertext generated by chain encrypt M1,...,M n. 2.2 Decryption The decryption algorithm for mix M i (1 i n) works as follows, given a length-l ciphertext K M C (split into its three components according to parameters KEM Mi.CipherLen = K and MAC Mi.OutLen = M ). We denote it mix decrypt Mi (K M C). Remember that M i in general is not aware of the mix chain used by the sender or even of its own position i in the chain. 1. Compute K = KEM Mi.Decrypt(SK Mi, K). If this computation fails, abort with an error (return invalid). 2. Split K in the form K = K MAC K STREAM such that K MAC = MAC Mi.KeyLen. 3. Compute M = MAC Mi (K MAC, C) and test whether M = M. If this is not the case, abort with an error (return invalid). 4. Compute the string of length STREAM Mi.OutLen. stream = STREAM Mi (K STREAM ) 7
8 5. Compute stream (C 0 KEM M i.cipherlen+mac Mi.OutLen+PlainLen Mi ) and split the resulting string in the form plain i P where plain i is of length PlainLen Mi 6. Return the pair (plain i, P ). (and thus, by (3), P is of length l). If this algorithm finishes without an error, plain i is a control message directed to the current mix, and P is the message to be forwarded to another mix or to the final recipient (as requested by the control message). It is straightforward to verify that for ciphertexts computed as chain encrypt M1,...,M n (plain 1,..., plain n ; payload), iterative decryption by mixes M 1,..., M n will indeed work without an error and recover the respective strings plain i and finally also the message payload concatenated with some (useless) extra data. Appendix A.2 illustrates decryption. 3 Provable Security The mix concept is intended to provide security when at least one mix can be trusted and behaves correctly. (However note that denial-of-service attacks by incorrectly operating mixes cannot be ruled out, the only option is to avoid mixes that appear to malfunction.) Thus we assume that some mix M i works as expected while all other mixes are controlled by the adversary and may not follow the protocol (also the cryptographic schemes KEM Mj, MAC Mj, and STREAM Mj associated with mixes M j, j i, might be not secure). This leaves only M i to be attacked: outer layers of encryption for mixes that appear before M i in a mix chain are easily removed by the adversary and thus are not relevant for security; and inner layers of encryption for mixes that appear after M i in a mix chain are involved in the encryption process chain encrypt Mi,...,M n (plain i,..., plain n ; payload; C i ) described in section 2.1, but cannot provide protection against the adversary. Section 3.1 shows how the security of the mix construction can be captured formally. We then provide security definitions for the underlying key encapsulation method (section 3.2), one-time message authentication code (section 3.3), and pseudo-random bit string generator (section 3.4). Finally, section 3.5 presents a security result that relates the security of the mix encryption scheme to the security of these cryptographic schemes: we will see that if the mix encryption scheme is not secure, then this is because one of the underlying cryptographic schemes is not secure. 8
9 3.1 Security of the Mix Encryption Scheme To show that our construction for length-preserving mixes is secure, we want to model an active adversary who is able to launch an adaptive chosen ciphertext attack (CCA). Due to the recursive nature of our encryption algorithm for mix chains, we cannot directly apply the usual CCA definitions for ordinary publickey encryption; we adapt the attack game described in [7, section 3.2] (which goes back to [13]) as follows to take into account the special properties of our construction: 1. The adversary queries a key generation oracle, which uses KEM Mi.KeyGen to compute a key pair (PK, SK) and responds with PK (and secretly stores SK). 2. The adversary makes a sequence of queries to a decryption oracle. Each query is an arbitrary string s of length l, and the oracle responds with mix decrypt Mi (s), using the secret key SK from step 1. That is, each oracle response is either a pair (plain, P ) where plain = PlainLen Mi and P = l, or the special value invalid. 3. The adversary uses an interactive encryption oracle as follows (compare with the encryption algorithm in section 2.1): First the adversary submits some string C i subject only to the condition that 0 C i < l KEM Mi.CipherLen MAC Mi.OutLen. The interactive encryption oracle uses KEM Mi.Encrypt(PK) to generate a pair (K oracle, K oracle ) and splits K oracle in the form K oracle = K MAC K STREAM such that K MAC = MAC Mi.KeyLen; it computes STREAM Mi (K STREAM ) and splits the resulting string stream in the form stream = stream L stream R such that stream L = l C i KEM Mi.CipherLen MAC Mi.OutLen; and it computes C i+1 = stream R (C i 0 KEM M i.cipherlen+mac Mi.OutLen+PlainLen Mi ) and sends C i+1 to the adversary. The adversary submits a pair of strings (m 0, m 1 ) satisfying m 0 = m 1 = l C i KEM Mi.CipherLen MAC Mi.OutLen. 9
10 The interactive encryption oracle chooses a uniformly random bit b {0, 1}, determines C = (stream L m b ) C i and and responds with M = MAC Mi (K MAC, C i ), K oracle M C. 4. The adversary again makes a sequence of queries to a decryption oracle as in step 2, except that this time the decryption oracle refuses being asked for the challenge ciphertext K oracle M C from step 3 (it returns invalid for this case). 5. The adversary outputs a bit b {0, 1}. The bit b output by the adversary is its guess for the value of b. The essential difference to the attack game for ordinary public-key encryption is that we have made the encryption oracle interactive to reflect the recursiveness of the encryption algorithm for mix chains, where encryption to mixes later in the chain than M i can have potentially arbitrary effects on a large part of the plaintext. Let A be any adversary (interactive probabilistic algorithm with bounded runtime) in the above attack game. Its CCA advantage against M i s instantiation of the mix encryption scheme is AdvCCA Mi,A = Pr [ b ] ] = 1 b = 1 Pr [ b = 1 b = Security of the Key Encapsulation Mechanism CCA security for the key encryption mechanism KEM Mi is defined through the following attack game (cf. [7, section 7.1.2]): 1. The adversary queries a key generation oracle, which uses KEM Mi.KeyGen to compute a key pair (PK, SK) and responds with PK. 2. The adversary makes a sequence of queries to a decryption oracle. Each query is an arbitrary string s of length KEM Mi.CipherLen; the oracle responds with KEM Mi.Decrypt(SK, s). Thus each oracle response is either a string of length KEM Mi.OutLen or the special value invalid. 3. The adversary queries an encryption oracle, which works as follows: it uses KEM Mi.Encrypt(PK) to obtain a pair (K 0, K oracle ), it generates a uniformly randomly string K 1 such that K 0 = K 1, chooses a uniformly random bit b KEM {0, 1}, and responds with (K bkem, K oracle ). 4. The adversary again makes a sequence of queries to a decryption oracle as in step 2, but this time the oracle refuses the specific query K oracle and responds invalid in this case. 10
11 5. The adversary outputs a bit b KEM {0, 1}. The CCA advantage of an adversary A 1 (an interactive probabilistic algorithm with bounded runtime) against KEM Mi in this attack game is AdvCCA KEMMi,A 1 = Pr [ bkem = 1 b KEM = 1 ] Pr [ bkem = 1 b KEM = 0 ]. 3.3 Security of the One-Time Message Authentication Code To define the security of MAC Mi, we use the following attack game (cf. [7, section 7.2.2]: 1. The adversary submits a string s (which for our purposes may be assumed to be of fixed length l KEM Mi.CipherLen MAC Mi.OutLen) to an oracle. The oracle generates a uniformly random string K of length MAC Mi.KeyLen and responds with MAC Mi (K, s). 2. The adversary outputs a list (s 1, t 1 ), (s 2, t 2 ),..., (s m, t m ) of pairs of string. An adversary A 2 again is an interactive probabilistic algorithm with bounded runtime; the runtime bound implies a bound on the list length m. We say that adversary A 2 has produced a forgery if s k s and MAC Mi (K, s k ) = t k for some k (1 k m). Its advantage against MAC Mi, denoted AdvForge MACMi,A 2, is the probability that it produces a forgery in the above game. 3.4 Security of the Pseudo-Random Bit String Generator To define the security of STREAM Mi, we use the following attack game: 1. The adversary queries an oracle. The oracle generates a uniformly random string K of length STREAM Mi.KeyLen, computes stream 0 = STREAM Mi (K), generates a uniformly random string stream 1 with stream 0 = stream 1, chooses a uniformly random bit b STREAM {0, 1}, and responds with stream b. 2. The adversary outputs a bit b STREAM {0, 1}. The advantage of an adversary A 3 (again an interactive probabilistic algorithm with bounded runtime) against STREAM Mi is Adv STREAMMi,A 3 = Pr [ bstream ] 1 = b STREAM Security Result Let A be an adversary A against the mix encryption scheme attacking a mix M i as described in section 3.1. It can be shown that there are adversaries A 1, A 2, A 3 against KEM Mi, MAC Mi, STREAM Mi all having essentially the same runtime as A such that AdvCCA Mi,A 2 (AdvCCA KEMMi,A 1 + AdvForge MACMi,A 2 + Adv STREAMMi,A 3 ). The proof uses standard techniques; details can be found in appendix B. 11
12 References 1. Abdalla, M., Bellare, M., and Rogaway, P. DHAES: An encryption scheme based on the Diffie-Hellman problem. Submission to IEEE P1363a Bellare, M., Canetti, R., and Krawczyk, H. Keying hash functions for message authentication. In Advances in Cryptology CRYPTO 96 (1996), N. Koblitz, Ed., vol of Lecture Notes in Computer Science, pp Bellare, M., Desai, A., Jokipii, E., and Rogaway, P. A concrete security treatment of symmetric encryption. In 38th Annual Symposium on Foundations of Computer Science (FOCS 97) (1997), IEEE Computer Society, pp Black, J., Halevi, S., Krawczyk, H., Krovetz, T., and Rogaway, P. UMAC: Fast and secure message authentication. In Advances in Cryptology CRYPTO 99 (1999), M. Wiener, Ed., vol of Lecture Notes in Computer Science, pp Chaum, D. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24 (1981), Cottrell, L. Mixmaster & r er attacks. r er/r er-essay.html, Cramer, R., and Shoup, V. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. Manuscript, Diffie, W., and Hellman, M. E. New directions in cryptography. IEEE Transactions on Information Theory 22, 6 (1976), Krovetz, T., Black, J., Halevi, S., Hevia, A., Krawczyk, H., and Rogaway, P. UMAC: Message authentication code using universal hashing. Internet-Draft draft-krovetz-umac-01.txt, ~rogaway/umac/, Lipmaa, H., Rogaway, P., and Wagner, D. Comments to NIST concerning AES modes of operation: CTR-mode encryption. modes/workshop1/papers/lipmaa-ctr.pdf, Miller, V. S. Use of elliptic curves in cryptography. In Advances in Cryptology CRYPTO 85 (1986), H. C. Williams, Ed., vol. 218 of Lecture Notes in Computer Science, pp Mixmaster anonymous r er software. mixmaster/. 13. Rackoff, C. W., and Simon, D. R. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology CRYPTO 91 (1992), J. Feigenbaum, Ed., vol. 576 of Lecture Notes in Computer Science, pp Shoup, V. A proposal for an ISO standard for public key encryption. Version 2.1, December 20, Wegman, M. N., and Carter, J. L. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22 (1981),
13 A Illustrations A.1 Encryption We depict a ciphertext generated by the encryption algorithm chain encrypt M1,M 2,M 3 (plain 1, plain 2, plain 3 ; payload) as described in section 2.1. In the illustration, we have concatenation horizontally and XOR vertically (i.e. boxes in the same row represent bit strings that are concatenated, and the ciphertext is the XOR of the multiple rows shown). plain 1 K 2 M 2 stream 2,L K 1 M 1 stream 1,L plain 3 payload plain 2 K 3 M 3 stream 3,L A.2 Decryption The result obtained by mix M 1 when applying the decryption algorithm from section 2.2 to the ciphertext from appendix A.1 is composed as follows: plain 3 payload plain 2 K 3 M 3 stream 3,L plain 1 K 2 M 2 stream 2,L stream 1,R The string plain 1 is directed to M 1. The remainder of the decryption result is a ciphertext that should be forwarded to the next mix in the chain, M 2, which will then obtain the following result: plain 3 payload plain 2 K 3 M 3 stream 3,L stream 1,R stream 2,R Similarly, mix M 3 will obtain the following final decryption result: plain 3 payload stream 1,R stream 2,R stream 3,R 13
14 B Security Proof We prove the security result for the mix encryption scheme given in section 3.5. Let G 0 denote the attack game from section 3.1. We will modify it in multiple steps, essentially disabling the underlying cryptographic schemes (key encryption method, one-time message authentication code, and pseudo-random bit string generator) one after another. G 1 is like G 0 except that a uniformly random string is used for K oracle, whereas K oracle is still generated by KEM Mi.Encrypt(PK). In the decryption oracle, K is substituted whenever KEM Mi.Decrypt(SK, K oracle ) would have to be computed. G 2 is like G 1 except that the decryption oracle always responds with invalid when faced with any query prefixed with string K oracle. (This applies to both step 2 and step 4 in section 3.1. Thus, the invocation of KEM Mi.Encrypt(PK) to generate (K oracle, K oracle ) must be advanced from step 3 to an earlier step; this is only a descriptive change, it does not affect the behaviour observed by the adversary.) G 3 is like G 2 except that the interactive encryption oracle uses a uniformly random string stream instead of computing STREAM Mi (K STREAM ). Now we consider an adversary A as in section 3.1, exposed to these different attack games] G x, 0 x 3, and look at the respective success probabilities Pr Gx [ b = b. Based on A, adversaries A1, A 2, A 3 against KEM Mi, MAC Mi, STREAM Mi will be built all having essentially the same runtime as A. A 1 attacks KEM Mi as follows (cf. section 3.2). At first, it generates b {0, 1} uniformly at random. Then, it runs the adversary A; when A queries its decryption oracle, A 1 uses its own decryption oracle to perform the decryption algorithm from section 2.2, and when A queries its encryption oracle, A 1 queries its own encryption oracle to obtain a pair (K oracle, K oracle ) and performs step 3 from section 3.1 using this pair and the pregenerated bit b. Finally, when A outputs its bit b, A 1 outputs 1 if b = b and 0 otherwise. Observe that ] ] Pr G1 [ b = b Pr G0 [ b = b = AdvCCAKEMMi,A 1 (G 0 corresponds to b KEM = 0, G 1 corresponds to b KEM = 1 in section 3.2). A 2 attacks MAC Mi as follows (cf. section 3.3). At first, it generates b {0, 1} and a string K oracle of length KEM Mi.OutLen uniformly at random. Then, it runs the adversary A, playing the roles of the key generation oracle, decryption oracle, and interactive encryption oracle, substituting the pregenerated string K oracle and the pregenerated bit b in step 3 of section 3.1. Whenever A submits a query K M C to the decryption oracle, A 2 adds the pair (C, M) to its own output (A s final output bit b is ignored). Observe that ] ] Pr G2 [ b = b Pr G1 [ b = b AdvForgeMACMi,A 2 (G 2 behaves differently from G 1 only if a forgery has been produced). 14
15 A 3 attacks STREAM Mi as follows (cf. section 3.4). First, it generates b {0, 1} and a string K oracle of length KEM Mi.OutLen uniformly at random. Then, it runs the adversary A, playing the roles of the key generation oracle, decryption oracle, and interactive encryption oracle, substituting the pregenerated string K oracle and the pregenerated bit b in step 3 of section 3.1. When A outputs its bit b, A 3 outputs 1 if b = b and 0 otherwise. Observe that ] ] Pr G3 [ b = b Pr G2 [ b = b = AdvSTREAMMi,A 3 (G 2 corresponds to b STREAM = 0, G 3 corresponds to b STREAM = 1 in section 3.4). ] Finally observe that Pr G3 [ b = b = 1 2. From this we obtain the inequality AdvCCA Mi,A = Pr ] G 0 [ b = b = 2 1 x 3 ( Pr Gx [ b = b ] Pr Gx 1 [ b = b ] ) 2 (AdvCCA KEMMi,A 1 + AdvForge MACMi,A 2 + Adv STREAMMi,A 3 ), which concludes our security proof. 15
Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes
Appears in M. Joye (Ed.): Topics in Cryptology CT-RSA 2003, Springer-Verlag LNCS 2612, pp. 244 262, ISBN 3-540-00847-0. Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes Bodo Möller
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationA Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004
A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security T. Shrimpton October 18, 2004 Abstract In this note we introduce a variation of the standard definition of chosen-ciphertext
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationA Public-Key Encryption Scheme with Pseudo-random Ciphertexts
A Public-Key Encryption Scheme with Pseudo-random Ciphertexts Bodo Möller University of California, Berkeley bmoeller@eecs.berkeley.edu Abstract. This work presents a practical public-key encryption scheme
More informationMultiple forgery attacks against Message Authentication Codes
Multiple forgery attacks against Message Authentication Codes David A. McGrew and Scott R. Fluhrer Cisco Systems, Inc. {mcgrew,sfluhrer}@cisco.com May 31, 2005 Abstract Some message authentication codes
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationOn the Security of a Certificateless Public-Key Encryption
On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More informationStateful Key Encapsulation Mechanism
Stateful Key Encapsulation Mechanism Peng Yang, 1 Rui Zhang, 2 Kanta Matsuura 1 and Hideki Imai 2 The concept of stateful encryption was introduced to reduce computation cost of conventional public key
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationThe Extended Codebook (XCB) Mode of Operation
The Extended Codebook (XCB) Mode of Operation David A. McGrew and Scott Fluhrer Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95032 {mcgrew,sfluhrer}@cisco.com October 25, 2004 Abstract We describe
More informationA Designer s Guide to KEMs. Errata List
A Designer s Guide to KEMs Alexander W. Dent Information Security Group, Royal Holloway, University of London, Egham Hill, Egham, Surrey, U.K. alex@fermat.ma.rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/
More informationConcrete Security of Symmetric-Key Encryption
Concrete Security of Symmetric-Key Encryption Breno de Medeiros Department of Computer Science Florida State University Concrete Security of Symmetric-Key Encryption p.1 Security of Encryption The gold
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationWeak adaptive chosen ciphertext secure hybrid encryption scheme
Weak adaptive chosen ciphertext secure hybrid encryption scheme Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:luxianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationThe Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model
The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model Alexander W. Dent Royal Holloway, University of London Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk Abstract. In this paper
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationRandom Oracles - OAEP
Random Oracles - OAEP Anatoliy Gliberman, Dmitry Zontov, Patrick Nordahl September 23, 2004 Reading Overview There are two papers presented this week. The first paper, Random Oracles are Practical: A Paradigm
More informationSECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY
SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY Edoardo Persichetti University of Warsaw 06 June 2013 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20 Part I PRELIMINARIES
More informationEfficient chosen ciphertext secure PKE scheme with short ciphertext
Efficient chosen ciphertext secure PKE scheme with short ciphertext Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:lu xianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationOutline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 4 Department of Electrical and Computer Engineering Cleveland State University wenbing@ieee.org Outline Review
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationRequest for Comments: 3566 Category: Standards Track Intel September The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec
Network Working Group Request for Comments: 3566 Category: Standards Track S. Frankel NIST H. Herbert Intel September 2003 Status of this Memo The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec This
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationCryptography MIS
Cryptography MIS-5903 http://community.mis.temple.edu/mis5903sec011s17/ Cryptography History Substitution Monoalphabetic Polyalphabetic (uses multiple alphabets) uses Vigenere Table Scytale cipher (message
More informationCSC 5930/9010 Modern Cryptography: Public-Key Infrastructure
CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure Professor Henry Carter Fall 2018 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationCS 495 Cryptography Lecture 6
CS 495 Cryptography Lecture 6 Dr. Mohammad Nabil Alaggan malaggan@fci.helwan.edu.eg Helwan University Faculty of Computers and Information CS 495 Fall 2014 http://piazza.com/fci_helwan_university/fall2014/cs495
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationSIGNCRYPTION WITH NON-INTERACTIVE NON-REPUDIATION
SIGNCRYPTION WITH NONINTERACTIVE NONREPUDIATION JOHN MALONELEE ABSTRACT Signcryption [35] is a public key primitive that achieves the functionality of both an encryption scheme and a signature scheme simultaneously
More informationAccredited Standards Committee X9, Incorporated
Accredited Standards Committee X9, Incorporated The following document contains excerpts from draft standard of the Accredited Standards Committee, X9, Inc. (ASC X9) entitled ANS X9.102- Wrapping of Keys
More informationA Proposal for an ISO Standard for Public Key Encryption
A Proposal for an ISO Standard for Public Key Encryption Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com February 13, 2001 Abstract This document should
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationNotes for Lecture 21. From One-Time Signatures to Fully Secure Signatures
U.C. Berkeley CS276: Cryptography Handout N21 Luca Trevisan April 7, 2009 Notes for Lecture 21 Scribed by Anand Bhaskar, posted May 1, 2009 Summary Today we show how to construct an inefficient (but efficiently
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationPractical Symmetric On-line Encryption
Practical Symmetric On-line Encryption Pierre-Alain Fouque, Gwenaëlle Martinet, and Guillaume Poupard DCSSI Crypto Lab 51 Boulevard de La Tour-Maubourg 75700 Paris 07 SP, France Pierre-Alain.Fouque@ens.fr
More informationLecture Note 05 Date:
P.Lafourcade Lecture Note 05 Date: 29.09.2009 Security models 1st Semester 2008/2009 MANGEOT Guillaume ROJAT Antoine THARAUD Jrmie Contents 1 Block Cipher Modes 2 1.1 Electronic Code Block (ECB) [Dwo01]....................
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationImproved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption
Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption Dan Boneh 1 and Jonathan Katz 2 1 Computer Science Department, Stanford University, Stanford CA 94305 dabo@cs.stanford.edu
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationRelaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationRandom Oracle Instantiation in Distributed Protocols Using Trusted Platform Modules
Appeared in the 3rd IEEE Symposium on Security in Networks and Distributed Systems, 2007, pp. 463 469. Random Oracle Instantiation in Distributed Protocols Using Trusted Platform Modules Vandana Gunupudi
More informationDefinitions and Notations
Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationLectures 6+7: Zero-Leakage Solutions
Lectures 6+7: Zero-Leakage Solutions Contents 1 Overview 1 2 Oblivious RAM 1 3 Oblivious RAM via FHE 2 4 Oblivious RAM via Symmetric Encryption 4 4.1 Setup........................................ 5 4.2
More informationIntroduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function
More informationEEC-484/584 Computer Networks
EEC-484/584 Computer Networks Lecture 23 wenbing@ieee.org (Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Introduction to
More informationLecture 8. 1 Some More Security Definitions for Encryption Schemes
U.C. Berkeley CS276: Cryptography Lecture 8 Professor David Wagner February 9, 2006 Lecture 8 1 Some More Security Definitions for Encryption Schemes 1.1 Real-or-random (rr) security Real-or-random security,
More informationHash Proof Systems and Password Protocols
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale supe rieure/psl & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationMessage Authentication with MD5 *
Message Authentication with MD5 * Burt Kaliski and Matt Robshaw RSA Laboratories 100 Marine Parkway, Suite 500 Redwood City, CA 94065 USA burt@rsa.com matt@rsa.com Message authentication is playing an
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationSecurity of Identity Based Encryption - A Different Perspective
Security of Identity Based Encryption - A Different Perspective Priyanka Bose and Dipanjan Das priyanka@cs.ucsb.edu,dipanjan@cs.ucsb.edu Department of Computer Science University of California Santa Barbara
More informationPermutation-based Authenticated Encryption
Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44 Outline 1 Why
More informationWhat Can Be Proved About Security?
What Can Be Proved About Security? Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Centre for Artificial Intelligence and Robotics Bengaluru 23 rd
More informationProtocols for Authenticated Oblivious Transfer
Protocols for Authenticated Oblivious Transfer Mehrad Jaberi, Hamid Mala Department of Computer Engineering University of Isfahan Isfahan, Iran mehrad.jaberi@eng.ui.ac.ir, h.mala@eng.ui.ac.ir Abstract
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 11 Basic Cryptography Objectives Define cryptography Describe hashing List the basic symmetric cryptographic algorithms 2 Objectives
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationA New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4
IJSRD - International Journal for Scientific Research & Development Vol. 2, Issue 08, 2014 ISSN (online): 2321-0613 A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam
More informationEfficiency Optimisation Of Tor Using Diffie-Hellman Chain
Efficiency Optimisation Of Tor Using Diffie-Hellman Chain Kun Peng Institute for Infocomm Research, Singapore dr.kun.peng@gmail.com Abstract Onion routing is the most common anonymous communication channel.
More informationBlockwise-Adaptive Attackers
Blockwise-Adaptive Attackers Revisiting the (In)Security of Some Provably Secure Encryption Modes: CBC, GEM, IACBC Antoine Joux, Gwenaëlle Martinet, and Frédéric Valette DCSSI Crypto Lab 18, rue du Docteur
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationCourse Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18
Course Map Key Establishment Authenticated Encryption Key Management COMP 7/8120 Cryptography and Data Security Lecture 8: How to use Block Cipher - many time key Stream Ciphers Block Ciphers Secret Key
More informationAuthenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol
Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Mihir Bellare UC San Diego mihir@cs.ucsd.edu Tadayoshi Kohno UC San Diego tkohno@cs.ucsd.edu Chanathip Namprempre Thammasat
More informationLecture 10. Data Integrity: Message Authentication Schemes. Shouhuai Xu CS4363 Cryptography Spring
Lecture 10. Data Integrity: Message Authentication Schemes Shouhuai Xu CS4363 Cryptography Spring 2007 1 Roadmap Problem Statement Definition Constructions Remarks Shouhuai Xu CS4363 Cryptography Spring
More informationAn Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem
An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem Mihir Bellare, Alexandra Boldyreva and Adriana Palacio Dept. of Computer Science & Engineering, University of California, San
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 25 April 18, 2012 CPSC 467b, Lecture 25 1/44 Anonymous Communication DISSENT- Accountable Anonymous
More informationPublic Key Encryption. Modified by: Dr. Ramzi Saifan
Public Key Encryption Modified by: Dr. Ramzi Saifan Prime Numbers Prime numbers only have divisors of 1 and itself They cannot be written as a product of other numbers Prime numbers are central to number
More informationLectures 4+5: The (In)Security of Encrypted Search
Lectures 4+5: The (In)Security of Encrypted Search Contents 1 Overview 1 2 Data Structures 2 3 Syntax 3 4 Security 4 4.1 Formalizing Leaky Primitives.......................... 5 1 Overview In the first
More informationHistory of message integrity techniques
History of message integrity techniques Chris Mitchell 17th January 2008 1 Contents of talk 1. CBC-MACs 2. Standardised CBC-MACs 3. EMAC and ARMAC 4. New CBC-MAC schemes 5. RMAC 6. The XCBC family 7. Other
More informationStream Ciphers. Koç ( ucsb ccs 130h explore crypto fall / 13
Stream Ciphers Çetin Kaya Koç http://cs.ucsb.edu/~koc koc@cs.ucsb.edu Koç (http://cs.ucsb.edu/~koc) ucsb ccs 130h explore crypto fall 2014 1 / 13 Block Ciphers Plaintext: M i with M i = n, where n is the
More informationStream Ciphers. Çetin Kaya Koç Winter / 13
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 13 Block Ciphers Cryptography Plaintext: M i with M i = n, where n is the block length (in bits) Ciphertext: C i with C i = m, where m n, however,
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More information